Tuesday, October 07, 2008

Hello ClearClick, Goodbye Clickjacking!

There has been a lot of discussion in the forums that I participate in regarding Clickjacking. Everyone agreed that blocking IFRAMEs with NoScript was at least a work-around.

NoScript just got better! The latest update to NoScript has clickjacking blocked by default!

To repeat: NoScript, the Firefox extension that puts you in control of which sites are allowed to run JavaScript, Java, Flash, and other plugins, has been updated to include anti-clickjacking countermeasures that are enabled by default. The anti-clickjacking addition is completely independent of blocking IFRAMEs and plugins.

For complete information, read the description by the NoScript developer at Hello ClearClick, Goodbye Clickjacking!

Update (Hat Tip R-C): The article "Webcam hijack demo highlights clickjacking threat" has information regarding a demo of clickjacking:
"In Guy Aharonovsky’s demo game, a Web page is set up to seamlessly hide another page in the background that’s actually managing the target’s Adobe Flash Player privacy settings manager.

Using a series of clicks bouncing around the rigged page, Aharonovsky is able to silently hijack the user’s clicks to modify the Flash privacy settings and take complete control of the installed webcam.

If you don’t want to try it or don’t have a webcam connected, you can see the attack in action in this YouTube video."

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...
